Minutes of the MiniTOP on the 2012-05-08

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: Magu, Marcus, Uli, Michael, dirk

Topics

Action items from last meeting: Meeting Action Items

Software/Assessment/ActionItems

Development, Deployment, Discussion

  • OAO, Ted

    bug #943 change OA admin/assurer text

    needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected

    {-}

    uli, Ted

    bug #824 Org User cert fix Case study

    Organisation User Certificates: Need UI improvement for proper production usage

    {0}

    uli, ted

    bug #823 email address removal fix

    No warning when removing e-mail address from account that certificates will be revoked
    checked by 4, needs 2nd review, deploy
    rejected

    {-}

    inopiae

    bug #920 Join - single name only (eg Indonesian)

    details under bug number

    {0}

    uli

    bug #859 admin console interface

    feature request: show activity on an account in the admin interface
    rejected, certs login doesn't modify "modified" field

    {r}

    Michael

    bug #540

    p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
    uli, marcus: needs full cert create tests
    duplicate report to bug#978
    tested by 3, 2nd review done, transferred
    Ken reported: still has problems, bug kept open

    {0}

    gagern, NEO

    bug #440 Problem with subjectAltName (CSR, renew certs)

    There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development

    {r}

    neo

    bug #1025 Domain Dispute issue

    disputes rc and rc2 var prob
    needs work

    {r}

    dirk

    bug #1054 Review the code regarding the new point calculation

    Thawte patch part II
    needs further work

    {r}

Software Assessors: Review 1 / add to cacert-devel, add to testserver

  • Software-Assessors task

Testing

  • Testers task

    neo

    bug #1004 Stats page improvement

    tested by 2, needs 2nd review

    {0}

    neo

    bug #1159 it might be possible to execute commands on the signing server

    {0}

    inopiae

    bug #1065 Wrong wording when sending mails during the assurance process

    {0}

    inopiae

    bug #1162 calculate (the passwords) hash in php instead of in mysql

    create test scenarios for the software testers /!\
    Full testing /!\

    {0}

    inopiae

    bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails

    {0}

    inopiae

    bug #988 TTP cap form deployment

    {0}

Software Assessors: 2nd Review, Bundle Package to Critical Team

  • Software-Assessors task

    Ted

    bug #500 Get contact mail address after resolving test

    tested by 3, requires review

    {0}

    Ted

    bug #1140 Show if a test is passed in learnprogress

    tested by 3, requires review

    {0}

    magu

    bug #1131 Rename _all_ Policies from .php to .html and fix all links

    global policy directory maintenance and update

    {0}

    inopiae

    bug #1010 Reorder the view on organisation certificates

    tested by 3

    {0}

Software Assessors: Bundle Package to Critical Team

  • Software-Assessors task

    inopiae

    bug #1139 Add new fields to the database

    tests through #500 and #1140, 2nd review done, requires transfer

    {0}

Awaiting Response from Critical Team

  • inopiae

    bug #411 Wrong text is made into link

    {g}


Agenda

1. Preface

  1. dirk topics
    1. Cebit brainstorming
      • dirk: request for events report
      • (2012-03-27) Marcus awaiting translation from Marc
      • (2012-04-03) Marcus will do upcoming (easter) weekend
      • (2012-04-17) no update
      • (2012-04-24) no update
  2. new action item from last meeting, who picks up this task? create new bug# ?
    • ?

      cap.php review different languages

      from meeting 2012-04-24

      {0}

  3. dispute cases
    • new bug: bug #1038 Provide a script for board/tverify reset flags by arbitration a20110118.1

    • re bug #1003 Permissions review script, to incorporate new intermediate ruling

2. Software-Assessment

  1. Software-Assessment teamleader?
    • to propose to board and approved by board
  2. Software-Assessors candidates
    • Problem:
      • 2nd review of 4 patches cannot be reviewed by NEO, dirk is busy, so only Ted avail, Markus inactive
    • candidate to contact by ...
      • kotek? (-> neo) - neo is doing reviewing

      • aphexer? (-> ?)

      • bjoern? (-> magu) - what attracts programming for CAcert?

      • willm (-> neo) (xing contact, developer), will contact next

      • stephan (-> marcus)

    • reactivate PG?
    • how do we get SA attractive?
      • Marcus: blockers? eg. dpa
      • dirk: newsletters, last one last year
        • 2nd one should be 3 months later about security settings, now it's about 5-6 months later
      • open dpa discussion (uli: added to next board meeting agenda), not yet continued

3. bug #1023 Testing (6.php)

  1. Thawte points removal, final step
    • relates to 6.php
    • this also relates to TTP
    • dirk will work on this last weekend (2012-01-21)
    • current state: not yet finished
      • expected finishing? upcoming weekend (2012-01-23 to 2012-01-30)
      • not finished, upcoming weekend 2012-02-06?
      • not finished, last weekend 2012-03-12?
      • 2012-03-13: new bug#1023

      • transferred to git cacert
      • to test:
        • assure someone
        • w/ and w/o ttp
        • in all variations
      • Added to testserver Tue 13.3., Wed 14.3.

      dirk

      bug #1023 Consolidate changes into the Assure Someone page

      6.php global re-design project
      assurance, wot area (Thawte points removal effective)

      {0}

    • current state: patch removed from testserver, needs work (DEV)
    • (2012-03-27) back on testserver: bug #1023 (6.php), has a bug, needs work
    • 2 new bugs within meeting 2012-03-27
    • (2012-04-03) bug analysis, empty results analysis, new patch transferred to testserver
    • current state 2012-04-17
      • dirk: didn't we conclude 14 days ago that the current patch state is the revision similar on the production system
      • potential bugs on production system can be identified against wot.php on testserver (-> diff wot.php, if no difference bugs are also in production system)
      • Michael: diff is empty, this means wot.php is identical between production and testserver
      • Michael: didn't push one patch, as it has at least one error
      • Michael: fix and push to git / testserver, patch is transferred to testserver
      • testing: failures occurred
      • last time we've added method transfer
        • if board=1, method empty -> results in garbage in database
      • new bug, that methods aren't checked that need to be checked: bug#1032 (https://bugs.cacert.org/view.php?id=1032)
      • req by Marcus to add maxpoints limit definition: 35 assurance points (by AP) in a f2f meeting, up to 50 assurance points possible through a subpolicy (currently none available), new bug: bug#1033 (https://bugs.cacert.org/view.php?id=1033)
    • #1033 passed to production
    • 2012-04-24: 2nd review by neo bug #1023 (6.php) (next time)

    • 2012-05-05: dirk_: @neo ... is the review of 6.php done? / NEOatNHNG: almost

4. testing of certs patches

  1. bug#440 Problem with subjectAltName (CSR, renew certs)

    • "There seems to be a problem with the subjectAltName. Dupes, missing entries, and more"
    • patch by gagern
    • Software-Assessors: needs 1st review + transfer to testserver (week 4)
    • (2012-01-23) michael picked up
    • What about bug#440 vs. bug#540?

  2. bug #812 CAcert certificate not working with Windows Encrypting Filesystem (EFS)

  3. bug #905 Unable to sign PDF file with Acrobat

5. 2nd review of about 7 patches

6. continue BlackJack coding by Michael

  1. bug#964, bug#918 (Part II) Codename "BlackJack" - VBscript for Vista/Win7 (select keysize >= 1024)

    • x1 Dirk, new bug#964
      DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV

      current state: test /account/4.php added to testserver
      Marcus will do detailed tests on Wed
      some references added to bug#964

      {0}

    • as part of
    • x1 Arbitration case a20110312.1 Weak keys bug #918 / bug #954 / bug#964

    • Current state:
      • {g}

        pre mailing sent

        {g}

        keys revocation script to bulk revoke weak keys, new bug #954, finished

        {-}

        dirk: DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV
        vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024)
        Api CertEnroll (MS crypto provider)
        new bug#964
        current state: test /account/4.php added to testserver
        Marcus will do detailed tests on Wed
        some references added to bug#964 - codename "BlackJack"

        {g}

        Weak keys blog post, published

        {g}

        Weak keys article published by Hanno (July 28), link is in CAcert's blog post (July 30)

        {b}

        weak keys: problems with cryptostick (to test at Froscon with Juergen ?)

    • cert enroll infos under bug#964

    • vista and win7 work with other engine CryptoAPI (?) => Cryptography API: Next Generation

    • dirk: has not started the virtual machine
    • Question from Marcus: did someone contact illuminat?
      • No, Marcus: to contact illuminat
      • illuminat will give it a try, first needs download of testserver image
    • Update?
      • marcus: illuminat not yet seen last time
      • baseline requirement - keysize >= 2048 to fix till end of 2011

      • how to proceed?
      • dirk: 1st step, to bring win test server locally online
      • marcus: to contact illuminat
      • Do we have other developers who may pick up this project?
    • Marcus -> dirk: announcement of vbscript bug to developers mailing list

      • change keysize
      • merge 2 scripts to one
      • fix on script 1 needs fix in 2nd script too, solutions: include, one file, or comment fix script 2 too
    • interrupt: bug#964 -> codename "BlackJack"

      • relates to IE8 problem, that certs cannot be created
      • is there a security issue with available fix? also bug#918

      • related 927, 901, 847
      • a patch is online on testserver, but cannot be found
      • related patch files, /pages/account/ 3,4,16,17; /include/account.php
      • there are other vbscript pages: ../account/ 6 + 19
    • Brian bug#964

      • Michael: Marcus to test with IE
      • IE select provider only
    • code from Brian needs some corrections, corrections to do, 4 + 17 inclusions, checkin
      • notification to Brian, done
      • quickfix has problems too
      • next step(s)
        • check error codes / debug routines
        • open developer mode, create cert
          • resulting error: line 213, put length, wrong parameter
            Zeile: 213
            Fehler: CertEnroll::CX509PrivateKey::put_Length: Falscher Parameter. 0x80070057 (WIN32: 87)
            Zeile 213:  objPrivateKey.Length = &h08000000
    • current state: an undef error with current patch
      • we need someone who has experience with vbscript, to come into telco, reviews interface/api beforehand
        • illuminat: not before Easter
        • marcus: will ask users on assurance party Wed 18th Jan
    • 2012-01-23:
      • also cabforum requirement, keysize under IE limited to 1024
      • how to find programmers ?
        • windows webserver programmers: Outlook, Citrix portals
      • new API's can use java, new apis have web-enabled
      • splitting vbscript for os revisions < vista, java for os revisions >= vista ?

    • NEO started development, not yet finished
    • next: for XP: rewrite vbscript to JavaScript

7. next meeting

Minutes

  1. Preface
    1. request for bitcoin account ?
      • currently not available
    2. dirk topics
      1. Cebit brainstorming
        • dirk: request for events report
        • (2012-03-27) Marcus awaiting translation from Marc
        • (2012-04-03) Marcus will do upcoming (easter) weekend
        • (2012-04-17) no update
        • (2012-04-24) no update
        • (2012-05-08) no update
    3. new action item from last meeting, who picks up this task? create new bug# ?
      • Marcus

        cap.php review different languages

        from meeting 2012-04-24

        {0}

        • translations problem, response from translators needed
        • encoding problem
        • Marcus picks up this task
    4. dispute cases
      • new bug: bug #1038 Provide a script for board/tverify reset flags by arbitration a20110118.1

      • re bug #1003 Permissions review script, to incorporate new intermediate ruling

    5. disputes.php problems (by Marcus)
    6. events planning
      • Sigint, LT2012 preparations
      • req Marcus 2 uli: Perl conf, info to Carsten
  2. Software-Assessment, part 1
    1. Software-Assessment teamleader?
      • to propose to board and to be approved by board
      • Magu: candidate NEO
      • Marcus: candidate NEO
      • Uli: 2nd and aye
      • Dirk: 2nd and aye
      • Magu: aye
      • Marcus: aye
      • NEO: abstain
      • 4 aye, 1 abstain, carried
        • add to next agenda
  3. Internship project discussions
    • general structure given (by board)
  4. Software-Assessment, part 2
    1. Software-Assessors candidates
      • Problem:
        • 2nd review of 4 patches cannot be reviewed by NEO, dirk is busy, so only Ted avail, Markus inactive
      • candidate to contact by ...
        • kotek? (-> neo) - neo is doing reviewing

        • aphexer? (-> ?)

        • willm (-> neo) (xing contact, developer), will contact next

        • stephan (-> marcus)

      • reactivate PG?
  5. dirk: newsletters, last one last year
    • 2nd one should be 3 months later about security settings, now it's about 5-6 months later
    • main topic "Security"
      • weak keys
      • weak passwords
      • backup for lost passwords
      • openssl prob
      • php prob
      • probably more
  6. testing of certs patches
    • #540 needs 2nd review
    • #978 needs 2nd review
    • #440, only one test
  7. bug #1023 Testing (6.php)
    • Neo walks through code with dirk
  8. NEO 2 dirk: next patch to review: 1003, permission review
  9. next meeting
    • Tuesday, May 22, 2012 22:00 CEST

Post Meeting notes

  1. Software-Assessment, part 3
    1. Software-Assessment teamleader?
      • late votes by email
        • Michael as Software-Assessment t/l to propose to board and to be approved by board
        • Markus: aye

Fixed Action Items since last or within meeting


Action Items New

Action items: Meeting Action Items


Software/Assessment/20120508-S-A-MiniTOP (last edited 2012-05-09 07:33:50 by UlrichSchroeter)